Slashdot Mirror


Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting?

An anonymous reader writes "A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump ahead to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to the old server. I'm now moving off this web host altogether. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"

2 of 168 comments

  1. Do nothing by Gutboy · Score: 5, Insightful

    Move to a new host. Don't talk about the old host, don't post the script, don't describe it at all. You don't want the lawsuit/criminal charges that will follow.

    1. Re:Do nothing by serialband · Score: 5, Insightful

      You might want to tell them why you're moving to a new host. Explain that their security is insufficient for your needs, which is why you're moving. You don't have to give them more detail than that.